Security researchers at IBM admire the iPhone's apparent security but note it will suffer from its fair share of attacks.

By Sharon Gaudin
InformationWeek
Jun 21, 2007 04:53 PM

With so many people anxiously holding their breath while simultaneously counting their pennies till Apple's iPhone ships next week, some researchers -- and probably many IT managers -- are wondering how secure this latest smart phone is going to be.

Well, according to IBM's security division, Internet Security Systems, the iPhone will have one thing going for it, at the same time it has one thing going against it, making for what should be an interesting product to track. The plus side is that it should take a pretty sophisticated hacker to break into the phone's system, but the negative is that all the frenzy that has been building up around the iPhone's release means many hackers will be inspired to try.

"We've been following it since it was announced," said Neel Mehta, the team lead of advance research group at ISS, in an exclusive interview with InformationWeek. "It's going to be challenging for the bad guys to exploit them like they do other [smart phones] but there will be a lot of individuals willing to try because of the amount of buzz around it... We've seen some very determined attacks on other mobile phone platforms, like the Symbian platform. A lot of these attacks are going to be very hard to launch against the iPhone."

A spokesperson with Apple declined to comment on the iPhone's security features.

Since Apple has been holding any prototypes of the iPhone extremely close to the vest, IBM's security researchers analyzed whatever information they could glean about the new phone that is a three-way combination of wide-screen iPod, cell phone, and Internet communications device. Mehta said they know the phone will run on Apple's OS X operating system, will use its Safari browser, and won't come with a software developer's kit. Researchers also evaluated how Apple deals with security updates and patches for its other products, like the Mac and the popular iPod.

Until Mehta and his researchers can get their hands on an actual iPhone, they're going on what they do know about the machine.

And one major thing they've been focusing on is that the iPhone won't have a software developer's kit. While that makes it harder for third-party vendors to make software for the phone, it's also going to make it a lot harder for hackers and malware writers to take advantage of it.

"They're not telling anyone how to write applications that run on the iPhone," said Mehta. "It's going to be much harder to write worms or viruses for that platform. Most malware written today for mobile platforms has been developed using software developer kits from the manufacturers. The lack of that on the iPhone will make it harder for people to develop malware for it."

He said another positive is that Apple historically has made it pretty easy to update their products. "That's relatively good news for the iPhone," he added. "We suspect the ability to update the phone will be relatively painless and robust. That's been a major problem with other smart phones. Many people will buy a smart phone and never update the firmware on it... Computers that run OS X have automated update mechanisms and looked at how easy it is to update firmware on iPods. It's very painless. It's just one click within the iTunes software."

Easier updates mean users will be more likely to stay current with upgrades and patches, so they'll be more protected from malware.

Mehta also noted that it should be easier to update the iPhone because, by nature, it frequently will be connected to a computer to download music. Going by how Apple updates its other products, the company could set it up so updates and patches will be pushed out to the phone whenever it's connected to a Mac or PC.

But it's not all positive security expectations.

The biggest negative at this point is simply the amount of buzz around the launch of the iPhone, according to Mehta.

"Apple is good about creating interest about a product even before it's released," he added. "This will make the iPhone a definite target, at least by security researchers."

He also noted that since the iPhone is going to run the OS X operating system, as well as Safari, there's a good chance that any bugs in those pieces of software will be in the scaled down iPhone versions. If hackers know where the bugs are in one version, they'll have a very good idea of where to look for holes in the iPhone.

"There's bugs in Safari for Windows," noted Mehta. "There's speculation that these vulnerabilities will also affect the iPhone... And there's a good chance that we'll see vulnerabilities that affect the mainstream version of OS X affect the iPhone. That, to some degree, offsets the fact that it's a closed development platform. It gives people with malicious intent something to look at and work off of."

Mehta also said that fact that the iPhone is such a complex machine -- a music player, a video player, a Web browser, and, Oh yeah, a phone -- means that there's simply a lot more room for problems.

"It will receive content and media from many different sources," he said. "Smart phones today are relatively powerful and complex and can do many things a PC can. Think of it as compact computing device. As these devices become more complex they also become harder to secure... A basic principle of software security is that the larger the code base you're trying to secure, the harder it is to secure and the more likely you'll find vulnerabilities in the code."

So where does that leave the iPhone's security future?

Mehta said he expects it will be harder to hack than most other smart phones but it's also going to be a prized target, luring an unusual number of hackers to test it out.

"It will likely take a very sophisticated attack and a very sophisticated attacker to compromise an iPhone," he added. It will take a level of sophistication that we haven't seen much of... But there will be a lot of people trying."